PHP - Securing Php Includes

Hello everyone, this is my first post. This isn't just a simple post and leave, I'm looking to expand into this community and learn as much as I can. Well on to the problem at hand!

I decided to start with something simple as a login page and now want to expand it to make it fully functional.

Code: (index.html) [Select]
<html>
<head>
 <title>Deadnode.com</title>
 <LINK href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div style=width:150px;height:80px;position:absolute;left:40%;top:35%;
margin-left:-135px;margin-top:-50px;">

<div class="sidebox">
<div class="boxhead"><h2>Login Required</h2></div>
<div class="boxbody">
<form method="post" action="check.php">
<center><table>

<tr><td><font face="verdana,arial" size=-1>User:</td><td><input type="text" name="user"></td></tr>
<tr><td><font face="verdana,arial" size=-1>Pass:</td><td><input type="text" name="pwd"></td></tr>
<tr><td><font face="verdana,arial" size=-1>&nbsp;</td><td><font face="verdana,arial" size=-1><input type="submit" value="Login"></td></tr>
</table></center>
</form>
</div>

</div>
</body>
</html>

Code: (function.php) [Select]
<?php
function check() {
$admin="test";
$pass="test";
if ( $_POST["user"] == $admin & $_POST["pwd"] == $pass) {
  header('Location: output.php'); }
else {
  header('Location: index.html'); }
}
?>

Code: (check.php) [Select]
<?php
require('function.php');
check();
?>

This is just the code in it originally form; completely functional. I tried to use start_session() in my check() function. I know I should be using cookies, but I haven't gotten that far yet. Is it possible to use my check function as a way to block pages? I tried inserting the same code that is in check.php onto a html page, but I've had no luck with it redirecting back to my index.html page.

Hello,

I'm writing an application that will have to interact with my webserver and it will be using php to input data into the database and retrieve from as well. However, I'm not sure what is the best approach on securing my database from people sniffing while using my application. The only thing that I can do that is coming to mind is try to use a unique key as a password and have one of my GET vars be that password, but that is easily sniff-able.

What can I do to secure my database and prevent people from filling up my databases if they sniff out my password key? Is there any kind of encryption I can use that will defeat this?

Hello,  I am quite new to the php and website scene and i am trying to find the best way to validate and sterilize my $_post the way i have come up with is 

$id = filter_var(mysql_real_escape_string($_POST['id']),FILTER_SANITIZE_NUMBER_INT);

or

$id = mysql_real_escape_string($_POST['id']);
$id1 = filter_var($id,FILTER_SANITIZE_NUMBER_INT);

which will be the best way to do it or is there a better way.   Thanks 
Edited by AdamHull12, 04 October 2014 - 11:15 AM.

Hi,

I want to secure my AJAX routines which use the POST method. I want to prevent people from posting to my method with their own program/script.

I have read about making a random seed that the server knows to expect from authorized AJAX sources.

What is the basic code for doing this?

Hi my website offers the users to buy the videos. But the hackers are stealing my video links through view source. So there any option to hide my video links in view source and firebug etc..My videos are comign from amazon. and we are using JW  Players to play the videos
    The methods i have tried..
    1)Encode and decode the urls still the embed tag displays the complete path in firebug.
    2)Amazon provide signed url(temporary url)-Still have some problem in this..
    3)call the video through ajax call. Still the complete HTML code will be displayed in the firebug.
   
    please check here i have attached the firebug sample how it displays the code. Here we can find the complete video path in file: attribute in embed tag
   
    Is there any to hide the urls

I tried searching but came up empty handed, hoping you guys can give me some assistance.

I have a login script that I would like to lock down a little from flooding. What is the easiest way to do this? Something that will restrict the IP if the script encounters x amount of failed attempts in x amount of minutes.

Thanks!

Hello, I wish to secure the PayPal form button. As my button is used on a subscription website, I don't want people changing the parameters and code needs to be hidden from peering eyes with firebug for instance.


I have heard that you can pass the data to PayPal be given a CMD URL in return and you simply forward the user to such URL.


Anyone know of this? - or another method?


The button manager is not acceptable as the values will change in the hidden fields.


George.

I've just gotten back into re learning web development, I have created a contact form however my server is forcing me to use SMTP which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files however the passive aggressive answers I got from stack over flow didn't tell me HOW to implement them.

The files are
Form.HTML
Bin/config.php
Bin/mail.php

Any help is appreciated.

I am building an e-commerce site and have a security question.

My Payment Gateway has given me "Log-In ID" and "Transaction Key" that I use to log in to their server to submit payments.

What is a *reasonable* way to protect this information?

I have a VPS with root access, although I'm relying on using sFTP and the Plesk Control Panel since I don't know SSH yet.

Can I just store my "Log-In ID" and "Transaction Key" in a php file outside of my Web Root and include it?

Would that be secure enough for now?

Thanks,



Debbie

If I store a value in a hidden form control, and then use that as a means to pass the value to another PHP script, could that cause any security issues?

 

 

This topic has been moved to Application Design.

http://www.phpfreaks.com/forums/index.php?topic=346762.0

This topic has been moved to Ajax Help.

http://www.phpfreaks.com/forums/index.php?topic=358932.0

Sorry for the long message but I need HELP!!!  I'm somewhat familiar with HTML but very little in PHP, and even less in CSS. My eCommerce program is PHP based so I've had to learn to work with it. I did have someone else initially setup and create my website but over the past few years have taken it further myself. I've fiddled with some of it and looked up how to do certain things, such as have only one header and/or sidebar I can use for all pages. I use Dreamweaver CS4 and FTP with FileZilla. But I'm still new at this and have run into a couple of issues.   My webhost is GoDaddy, my website is MikiCat Designs and after fiddling for months, in March finally got my site to where I liked it. Unfortunately, I haven't kept it up. Anyway, I went there a couple of weeks ago and found that the PHP includes I'd had in the HTML files were no longer working. I get the error [an error occurred while processing this directive]. Weird. Worked fine before, now it doesn't. Called GoDaddy who says they didn't do anything . Uh huh. Now I know I didn't do anything since I haven't updated the site in 4 months! So, what could have caused this problem?

I've had no idea how to fix it other than to change the index.html to index.php and, of course, do a minor repair on the include. Works fine and my header.php and leftsidebar.php show up again. Yay! Herein lies another problem.

My header and sidebar link to other files some of which were HTML files. But those HTML files had the same header and sidebar issues as my INDEX file. This had to be fixed so I changed them to PHP. Still working on the changes. I deleted most of the HTML files from the server.

So the links in my header and lefsidebar files now point to PHP files. e.g., gallery.html to gallery.php. When called on it's own, gallery.php shows up perfectly. But, no matter what I do, the header file still tries to load the HTML file!!! It's driving me crazy. What have I done wrong? I've deleted them both, refreshed, cleared cache and uploaded them again but I still get the same error. If you click on Gallery in the header, it tries to link gallery.html not gallery.php! Funny thing is, the leftsidebar now works perfectly and points to the proper PHP files. I'm completely confused now.

I don't know why my header is insisting on trying to load the HTML page instead of the PHP. But here's my header code. Lines 41 and 42 work, lines 43, 44 and 45 do not.   * Quietly banging head against wall while awaiting help.

<html>
  <body>
  <!-- begin #header -->
  <!-- begin Facebook script -->
  <div id="fb-root"></div>
  <script>(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
   js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
   fjs.parentNode.insertBefore(js, fjs);
 }(document, 'script', 'facebook-jssdk'));</script>
 <!-- end Facebook script -->
 
 <div id="container">
 
 <div id="headerright">
 <form method="post" action="search.php"> 
 <input type="hidden" name="posted" value="1"/> 
 <input type="text" name="stext" size="16"/>
 <input type="submit" name="Search" value="Search"/> </form>
 </div>
 
 <div id="headerright1">
 <form method="post" action="cart.php">
 <input type="hidden" name="posted" value="1"/>
 <input type="image" name="Submit" src="images/cartgrn.gif" />
 </form></div>
 
 <div id="headerright2">
 <form method="post" action="clientlogin.php">
 <input type="hidden" name="posted" value="2"/>
 <input type="image" name="Submit" src="images/login2.gif" />
 </form>
 </div>
 
  <div id="header">
     <div id="PLHIMYFUFUJCDiv" style="position:absolute; left:567px; top:82px; width:490px; z-index:50; white-space:nowrap; direction:ltr;">
       <div id="PLHIMYFUFUJCMain" style="width:490px;height:40px">
         <ul style="margin:0px;padding:0px;font:italic normal bold 14px Georgia,Times New Roman,Times,serif;">
       <li style="float:left;list-style:none;text-align:center;width:98px;height:40px;background-image:url(images/homenav.gif);"><a href="http://www.mikicatdesigns.com" target="_self" title="MikiCat&nbsp;Designs" style="display:block;height:28px;padding:12px 0px 0px 0px;color:#00008b;text-decoration:none;">Home</a></li>
       <li style="float:left;list-style:none;text-align:center;width:98px;height:40px;background-image:url(images/homenav.gif);"><a href="http://www.mikicatdesigns.com/categories.php" target="_parent" title="Handmade&nbsp;jewelry&nbsp;and&nbsp;accessories&nbsp;" style="display:block;height:28px;padding:12px 0px 0px 0px;color:#00008b;text-decoration:none;">Products</a></li>
       <li style="float:left;list-style:none;text-align:center;width:98px;height:40px;background-image:url(images/homenav.gif);"><a href="http://www.mikicatdesigns.com/gallery.php" target="_parent" title="Handmade&nbsp;&nbsp;jewelry&nbsp;gallery&nbsp;of&nbsp;past&nbsp;lives" style="display:block;height:28px;padding:12px 0px 0px 0px;color:#00008b;text-decoration:none;">Gallery</a></li>
       <li style="float:left;list-style:none;text-align:center;width:98px;height:40px;background-image:url(images/homenav.gif);"><a href="http://www.mikicatdesigns.com/aboutmikicatdesigns.php" target="_parent" title="Learn&nbsp;about&nbsp;MikiCat&nbsp;Designs" style="display:block;height:28px;padding:12px 0px 0px 0px;color:#00008b;text-decoration:none;">About&nbsp;Us</a></li>
       <li style="float:left;list-style:none;text-align:center;width:98px;height:40px;background-image:url(images/homenav.gif);"><a href="http://www.mikicatdesigns.com/contactmikicatdesigns.php" target="_parent" title="Contact&nbsp;MikiCat&nbsp;Designs" style="display:block;height:28px;padding:12px 0px 0px 0px;color:#00008b;text-decoration:none;">Contact&nbsp;Us</a></li>
       </ul></div><div id="PLHIMYFUFUJCLevel2" style="float:left;width:490px;height:40px;"></div>
 

	

  <script type="text/javascript" src="Pluginlab/Scripts/PLHIM.js">/* PLHIMMenu script ID:PLHIMYFUFUJC */</script>
     </div>
   <!-- end #header -->

If one file includes another, do I need to start a session in each, or does the included file "inherit" the session?

script_1.php

// Initialize Session.
session_start();

// Require Function
require_once('script_2.php');



script_2.php

// Initialize Session.
session_start(); DO I NEED THIS HERE?????????

if ($_SESSION['loggedIn'] == TRUE){
do something
}



Debbie

Hi all

My site is build using php includes. the index.php file contains code like
<?php
if(@$_GET['page'] == "web-design"){
   include("includes/web-design.php");
} else if(@$_GET['page'] == "hosting"){
   include("includes/hosting.php");   
}
 else {
    include("includes/home.php");
 }
?>

I have created a sub domain blog.maplewebdesign.co.uk and a sub dircetory named blog. The link to this part of my site doesn't use includes, I want it to link directly to that sub directories index.php page.
This works fine, but then when I click on a different link anywhere on the site my url is as follows
www.maplewebdesign.co.uk/blog/index.php?page=home

For some reason it is keeping the blog/ in the URL

If you want to see go to
http://www.maplewebdesign.co.uk/blog/
then click on a differnt link and check out the URL

What am I doing wrong?

Thanks
Adi